Celebrity credit reports posted by ID thieves were taken from free website

Details from some of the famous identity-theft victims whose personal information was mysteriously published online were fraudulently obtained from a government-mandated website designed to make it easy for consumers to access their credit reports, credit agency officials said.

At least four of the high-profile celebrities and political figures—who include Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were "accessed inappropriately" from annualcreditreport.com, a spokesman for credit agency Equifax told Ars. The site allows consumers to obtain a free copy of their credit reports by entering their birth dates, Social Security numbers, and home addresses and then answering several multiple-choice questions involving previous addresses, mortgages or loans taken out, and similar types of information. Once someone provides the correct answers, he gets access to a report providing a wealth of additional personal information, including loan and mortgage details, phone numbers, and previous addresses.

"What it appears happened is that personal identifiable information was evidently accessed or somehow obtained by the fraudsters who therefore were able to go into annualcreditreport.com and get some pieces of information on some individuals," Equifax spokesman Tim Klein said in an interview. "It's four individuals that we can confirm that were accessed inappropriately by fraudsters by going through annualcreditreport.com and procuring some information off their Equifax credit report."

Klein declined to name the specific individuals whose information was fraudulently obtained. But he did confirm to Ars that all four were among the 20 people whose sensitive personal information was posted on the exposed.su website that surfaced on Monday.

Statements issued by the other two credit agencies, TransUnion and Experian, reported similar compromises. TransUnion said perpetrators used "considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports." For its part, Experian said "criminals accessed personal credential information through various outside sources, which provided them with sufficient information to illegally access a limited number of individual reports from some US credit reporting agencies." Neither agency said how many individuals were compromised or confirmed that they were the same celebrities and political figures whose details were aired on exposed.su.

No previous experience required

TransUnion portrayed the perpetrators as "sophisticated," but in an age of Internet search engines and social media, the level of skill required to illegally access someone else's data is shockingly low. Much of the information the credit agencies use to confirm visitors' identities—for instance the street or county of a former address or the year a home mortgage was obtained—is readily available online, or can at least be inferred from what is. Further opening the process to fraud, questions are frequently repeated from agency to agency and are asked in multiple-choice fashion. If someone tries and fails to abuse annualcreditreport.com to access a person's credit report from Experian, for instance, he can start over and try to use annualcreditreport.com to access the same person's credit report from TransUnion and Equifax. Since all three agencies ask many of the same questions, a set of answers rejected by one agency need not be tried again at the next, so every attempt narrows the guessing space and criminals increase their chances of success with each try.

"You sometimes will get the same question when you go to a different entity," said Dan Clements, a team member at CloudEyz.com, a virtual lost-and-found service. The take-away, he said: once identity thieves know someone's Social Security number and birth date, obtaining a credit report is largely a guessing game.
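To put numbers on "largely a guessing game," here is an added example (not from the article, Equifax, or any of the agencies) that models the multiple-choice, knowledge-based authentication described above. The question count, the number of answer options per question, and the one-try-per-agency scenario are constructed assumptions; the model shows how the odds change as an attacker establishes answers from open sources and as agencies draw from a shared question pool, where a rejected combination never has to be tried twice.

```python
from fractions import Fraction


def session_pass_probability(n_questions: int, n_choices: int, known: int) -> Fraction:
    """Chance that a single KBA session is passed by someone who already knows
    `known` of the answers (scraped from interviews, social media or public
    records) and guesses the remaining ones uniformly from the multiple-choice
    options. Every question must be answered correctly."""
    if n_choices < 2 or not 0 <= known <= n_questions:
        raise ValueError("bad KBA parameters")
    return Fraction(1, n_choices) ** (n_questions - known)


def success_independent(p_single: Fraction, attempts: int) -> Fraction:
    """At least one pass across `attempts` sessions treated as unrelated,
    i.e. the guesser learns nothing from a rejection."""
    return 1 - (1 - p_single) ** attempts


def success_shared_pool(n_questions: int, n_choices: int, known: int, attempts: int) -> Fraction:
    """At least one pass when the agencies draw from the same question pool:
    a combination rejected by one agency is never tried again at the next, so
    each attempt removes one candidate from the space of possible answers."""
    space = n_choices ** (n_questions - known)
    return Fraction(min(attempts, space), space)


def facts_needed(target: Fraction, n_questions: int, n_choices: int, attempts: int) -> int:
    """Smallest number of answers the attacker must establish from open sources
    before the shared-pool strategy reaches `target` success probability."""
    for known in range(n_questions + 1):
        if success_shared_pool(n_questions, n_choices, known, attempts) >= target:
            return known
    raise ValueError("target above 1 is unreachable")


if __name__ == "__main__":
    # Constructed scenario: four questions, four options each, one try per agency.
    q, c, tries = 4, 4, 3
    print(f"{'known':>5} {'one session':>12} {'3 independent':>14} {'3 shared-pool':>14}")
    for known in range(q + 1):
        p = session_pass_probability(q, c, known)
        print(f"{known:>5} {float(p):>12.4f} {float(success_independent(p, tries)):>14.4f} "
              f"{float(success_shared_pool(q, c, known, tries)):>14.4f}")
    print("facts needed for a coin-flip chance:", facts_needed(Fraction(1, 2), q, c, tries))
```

With four questions and four options, a blind guesser has a 1-in-256 chance per session, but knowing two answers raises that to 1-in-16, and three tries against a shared pool put it at 3-in-16; with three answers known, a coin flip. The exact fractions make the point the article draws in prose: the strength of the scheme collapses as soon as a couple of the "secret" facts are public.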

Exposed.su surfaced on Monday with the personal information of a handful of household names, including the credit reports of Jay Z and socialite Kim Kardashian. In the 36 hours since then, the roster of high-profile identity theft victims has grown. At time of writing it included 20 individuals. In addition to those named above, they included First Lady Michelle Obama; former Vice President Al Gore; former vice presidential candidate Sarah Palin; former Secretary of State Hillary Clinton; Los Angeles Police Chief Charlie Beck; former California Governor Arnold Schwarzenegger; actor and director Mel Gibson; actor Ashton Kutcher; businessman Donald Trump; former wrestler Hulk Hogan; pop singers Kanye West, Beyoncé, and Britney Spears; and socialites Kris Jenner and Paris Hilton.

In the past, the measures the credit agencies took to confirm the identities of people accessing their free credit reports may have been adequate. But in an age of Twitter, Facebook, and Google, those measures are clearly outdated. It's possible that the people who used annualcreditreport.com to illegally access information in credit databases were sophisticated. But there's just as good a chance they were astute social network users who got lucky.

54 Reader Comments

Some of the questions required to access credit reports can be very in depth and may not always be available online. For example, it may ask you old phone numbers you had, previous addresses you lived at, the current or former model of car you own(ed) and so forth. But with celebrities giving out interviews with all sorts of detailed information to a vast amount of media organizations, this type of data is probably pretty easy to find. An article from Gawker details how easy it is to find out information about celebrities -- information that was used to access their online email accounts and cell phones to steal their nude photos back in 2012: http://gawker.com/5905749/heres-how-eas ... -hollywood

Psst... You're not doing a very good job hiding the fact that you've invented a time machine, Dan. "...former First Lady Michelle Obama..." I know it saves time to have 2017 Dan write some posts, but make sure 2013 Dan checks them over:)

Some of the questions required to access credit reports can be very in depth and may not always be available online. For example, it may ask you old phone numbers you had, previous addresses you lived at, the current or former model of car you own(ed) and so forth. But with celebrities giving out interviews with all sorts of detailed information to a vast amount of media organizations, this type of data is probably pretty easy to find. An article from Gawker details how easy it is to find out information about celebrities -- information that was used to access their online email accounts and cell phones to steal their nude photos back in 2012: http://gawker.com/5905749/heres-how-eas ... -hollywood

Lots of people post their phone numbers and their choice of cars online. Once this information has been published, it's a permanent part of the internet record. What's to stop a savvy ID thief from dredging up that information years later?

For those people already in possession of stolen SSNs, I would guess this was the next logical step. Naturally, celebrities are the perfect target for this sort of thing simply because of all the available information that is out there; but I don't really see this as a failure of security, not in terms of annualcreditreport.com, anyway. I'm not sure what else could be done in terms of improving the means of verification; at least not in a way that keeps it from being reasonably accessible as required by law. Heck, my last trip to the site required me to identify a phone number I hadn't had in 10 years. It was pure luck that I had it stored away in an old email of mine.

What's a good verification scheme that 1)Is easily implemented by the website, and 2)Practical for the majority of Americans to utilize?

Colour me confused, but how would they have got SSNs? Wouldn't this mean access to another database? Some sort of employee of a company they have all provided SSNs to? Or looking through the trash at their houses?

I'm not American. Where I live, any personal identifiers are kept as a hard copy only I have access to. Obviously this may have been provided to banks etc. as proof of ID.

Lots of people post their phone numbers and their choice of cars online. Once this information has been published, it's a permanent part of the internet record. What's to stop a savvy ID thief from dredging up that information years later?

True, but at what point do you draw a line in terms of complicating the process? The reality is, the credit companies are verifying information that is a matter of public record in addition to your (presumably) private information. Your social security number is really the lynch pin of the whole scheme, for better or worse.

Lock your credit and only unlock when you need it. It costs a few bucks to do a temporary unlock when applying for credit but it's worth the money. (One-time PINs are free but many companies use automated systems that do not work with PINs.)

This problem has not been escalating, it is as bad as it ever was. The only reason this is getting so much attention now is because of the people it has hit this time. There is no difference between who was targeted this time than any other attack other than how rich they are and/or what job they have. Something will be done this time, but it will be a knee-jerk reaction that will do as much, if not more, harm than good, because politicians were caught with lobbyists in their pockets telling them not to make any reasonable regulations that could soften the impact when someone has their identity stolen. Would it be unreasonable to make it illegal for any company to ask for a person's social security number for anything other than for reporting an individual's income if the person is an employee of said company? You know, like the original intended purpose of the social security number? These shenanigans that are going on right now are a joke, and the average citizen is going to be the butt of that joke with disastrous results. And it's all because lobbyists were in the pockets of Congress until people who have more collective wealth than said lobbyists were hit. It's sad that change doesn't happen unless it affects the rich, and even then, the change will be for the worse.

The easy-to-use website feels like the kind of misplaced good intentions combined with poor implementation that occurred with the design of sub-prime mortgage lending. Except this time, well, fuck government.

I have routine access to everything I need in order to "dox" any one of my clients, most of my friends, and a surprising number of acquaintances. If taking publicly-available information and putting it on an ugly web page constitutes hackery, I'm a god, and you should all bow before me.

Hell, I even handle paying myself for some of my clients. And it's not like they've given me extraordinary access.

Here again, I'm in the odd predicament of recognizing why this is alarming, and understanding why it is not at all surprising.

The unsurprising part is that all of this is available with minimal effort online.

I guess the only alarming part is, you don't need much more than what's already publicly available in order to facilitate some genuinely seedy behavior.

I think it's not so much privacy we should be worried about, as much as the ease with which casual breaches in privacy afford authority elsewhere in society, such as with securing lines of credit and other trust-based transactions.

Are you still asking for my mother's maiden name and the city I was born in? Not sure I want to be doing business with you.

There were a couple of sites out there describing this as "the most boring hack in history." Considering how the public at large views hacking, I'm willing to bet they would think it is all boring if they knew how tedious and technical it could really be- how... un-Swordfish-like.

I, on the other hand, fully appreciate the craziness of releasing such hard-to-find information. Not condoning it, of course, just appreciating it as something that isn't the least bit "boring." At the end of the day, a whole lot of cracking is just manipulating machines and systems to get at that hard-to-get-at information.

What's a good verification scheme that 1)Is easily implemented by the website, and 2)Practical for the majority of Americans to utilize?

Authenticate yourself to a third party that gives you a one-time-use token for the credit report. For example, log in to your bank, credit card company, or mortgage lender's website and click the "free annual credit report" link, get your token, pop it into the credit report site.

Perhaps I'm oversimplifying, but I know that I have a number of accounts that I already *have* to trust with SSNs and other information used to verify my identity on the credit card report sites. Why not leverage that relationship to give me access to the credit report site?
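One way the one-time token handoff proposed in that comment could work, as an added example that is not the commenter's code, the credit agencies' code, or anything annualcreditreport.com actually implements. The issuer (the bank, which has already authenticated its customer) mints a short-lived token bound to the credit-report site; the relying party checks authenticity, audience and expiry, and then burns the token so it cannot be replayed. The key, the audience string and the customer reference are all constructed for the example, and the shared-secret HMAC is a simplification: a real deployment would use a public-key signature so that the relying party can verify tokens without being able to mint them.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Hypothetical secret shared by the issuing bank and the credit-report site.
# HMAC keeps the example dependency-free; a production design would use a
# signature so the relying party cannot forge tokens.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
AUDIENCE = "annualcreditreport.example"  # hypothetical relying-party identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, key: bytes, now: int, ttl: int = 300) -> str:
    """Issued by the bank after it has authenticated the customer itself.
    `subject` is the bank's opaque customer reference; the SSN never travels."""
    claims = {
        "sub": subject,
        "aud": audience,          # which site may redeem it
        "iat": now,
        "exp": now + ttl,         # minutes, not days: it is a handoff, not a session
        "jti": secrets.token_hex(16),  # unique id so the verifier can detect replay
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class TokenVerifier:
    """Relying-party side: authenticity, audience, expiry, then single use."""

    def __init__(self, key: bytes, audience: str):
        self._key = key
        self._audience = audience
        self._consumed = set()  # redeemed jti values; persist this in real life

    def redeem(self, token: str, now: int) -> Tuple[str, Optional[str]]:
        """Returns (status, subject). Status is 'ok' or the reason for refusal."""
        try:
            body, tag = token.split(".", 1)
        except ValueError:
            return "malformed", None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad_mac", None  # verified before parsing any attacker-controlled content
        try:
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return "malformed", None
        if claims.get("aud") != self._audience:
            return "wrong_audience", None
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return "expired", None
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._consumed:
            return "replayed", None
        self._consumed.add(jti)  # burn it on first successful use
        return "ok", claims.get("sub")


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("cust-0042", AUDIENCE, ISSUER_KEY, now=t0)
    site = TokenVerifier(ISSUER_KEY, AUDIENCE)
    print(site.redeem(token, t0 + 30))  # ('ok', 'cust-0042')
    print(site.redeem(token, t0 + 31))  # ('replayed', None)
```

The order of checks matters: the MAC is verified before the body is decoded, so a tampered or forged token is rejected without the verifier ever parsing attacker-controlled JSON, and the replay set is only updated after every other check passes. Note also that the scheme answers the "nothing to guess" objection: there is no question an identity thief can research, only a login at an institution that already knows the customer.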

I wonder if like those auto-warranty robo-calls that harassed people to death and took quite a few people for a ride, it takes hitting a celebrity (or two senators on a golf course) before anything actually gets changed. I guess we will see....

The easy-to-use website feels like the kind of misplaced good intentions combined with poor implementation that occurred with the design of sub-prime mortgage lending. Except this time, well, fuck government.

Er wut?????? How is this problem caused by government? This problem is because of lax security on private web sites owned by monstrous private-data-aggregating corporations (and I mean monstrous in several of its meanings).

The only involvement of government here is to slightly level the playing field enough so that the data subjects (i.e. humans i.e. us) that they mine and sell for profit at least have the right to find out what they are saying about us, by mandating that free credit reports be made available.

If you think the answer would be to remove the government mandate and cut off citizen access to this information, I've got news for you. There are probably about 200 million angry citizens out there ready to *stomp* any crazy "down with the gubmint"-tard that tries.

Up here, in the cold parts of northern Europe, we have a solution to this problem. It's known as personnummer and BankID.

Personnummer is a number that identifies a single human. Think social security number, but without any illusion that it's private or secret information. Your personnummer has the form YYYYMMDD-XXXX and is handed to you at birth. It is not changed, outside some very specific situations. It is used in all official communication with state, county, companies and the like. We have a number with a similar structure for organizations, but it does not stick to the date format making it trivial to tell them apart.

To combine with this we have a national authentication infrastructure known as BankID. BankID is a stand-alone application based on public key cryptography. It is supplied to you by one of the major banks in Sweden. By using BankID you can authenticate against a website, proving that you are a holder of a specific personnummer. When I log in on the website of the tax authority to do my taxes I use BankID, for example.

These rather basic pieces of technology ensure we don't have to rely on people telling us what color their first car was, or what bank they had their first mortgage in, to authenticate against a site handing out sensitive information. I think America has a lot to gain if something similar is implemented.

Up here, in the cold parts of northern Europe, we have a solution to this problem. It's known as personnummer and BankID.

Personnummer is a number that identifies a single human. Think social security number, but without any illusion that it's private or secret information. Your personnummer has the form YYYYMMDD-XXXX and is handed to you at birth. It is not changed, outside some very specific situations. It is used in all official communication with state, county, companies and the like. We have a number with a similar structure for organizations, but it does not stick to the date format making it trivial to tell them apart.

To combine with this we have a national authentication infrastructure known as BankID. BankID is a stand-alone application based on public key cryptography. It is supplied to you by one of the major banks in Sweden. By using BankID you can authenticate against a website, proving that you are a holder of a specific personnummer. When I log in on the website of the tax authority to do my taxes I use BankID, for example.

These rather basic pieces of technology ensure we don't have to rely on people telling us what color their first car was, or what bank they had their first mortgage in, to authenticate against a site handing out sensitive information. I think America has a lot to gain if something similar is implemented.

The problem is that huge segments of the American population are dead set against any kind of "citizen ID number", and have been for many decades. The reasons for resistance vary from crazy (it's The Mark of the Beast! The End is Nigh!) to reasonable (mandatory citizen ID numbers help enormously if you want to create a Big Brother surveillance state).

Also, requiring citizen ID numbers in certain situations can prevent the kind of anonymity that is crucial for political expression. This is being demonstrated in textbook fashion in China right now, where cell phone contracts now require them to record your official identification information. That would be innocuous where you and I live... but in China, it means you can no longer talk freely about political topics on the phone- you might suddenly disappear.

The problem is that huge segments of the American population are dead set against any kind of "citizen ID number", and have been for many decades. The reasons for resistance vary from crazy (it's The Mark of the Beast! The End is Nigh!) to reasonable (mandatory citizen ID numbers help enormously if you want to create a Big Brother surveillance state).

Well, you already have social security numbers, which seem to be used extensively as a national ID, with the only problem that people also seem to like to use it for authentication and a person can have multiple SS numbers. What is it that makes it more acceptable than a national ID?

AreWeThereYeti wrote:

Also, requiring citizen ID numbers in certain situations can prevent the kind of anonymity that is crucial for political expression. This is being demonstrated in textbook fashion in China right now, where cell phone contracts now require them to record your official identification information. That would be innocuous where you and I live... but in China, it means you can no longer talk freely about political topics on the phone- you might suddenly disappear.

I personally believe that relying on keeping the state in line by making it less efficient is a very bad path to take. It doesn't do much to protect civil liberties and wastes a lot of resources. Lack of national ID is not exactly a big hindrance for a surveillance society... Because it is trivial to assign everybody an ID in secret and then do mapping from other identifiers, such as social security numbers.

Laws, regulations and revolutions are much better methods to protect civil liberties.

I really wish there was a solution to the problem that we have at hand.

But the problem really does boil down to this. No matter how secure you make it, no matter how much you try to limit exposure.

No matter what you do to avoid pitfalls, the minute you allow the masses to use it, if it's not simple enough for the mouth breathers to use it, it won't work.

In my years of doing tech support, I've asked this question many times:

What is your email? Simple, to the point, effective, and not easily misunderstood, right?

Answers I have got: Social Security #'s, Credit Card #'s, Bank Account #'s, E-mail Passwords, Children's names, and yes, maybe even one or three e-mail addresses.

The general public is abysmally unprepared for security. Just cause your dummy box has a fruit logo on it, doesn't make you smarter, it just makes you think you are, so you're even more eligible to fall on your own sword of ignorance. The same goes for credit card security and everything else.

Lots of people post their phone numbers and their choice of cars online. Once this information has been published, it's a permanent part of the internet record. What's to stop a savvy ID thief from dredging up that information years later?

For a regular person, you might have multiple usernames and people with the same name as you on a variety of different networks that make it hard to track down exactly who you are vs the person with the same name as you. Whereas everyone knows a celebrity and they publish this kind of information extensively in magazines, gossip websites, on TV, etc, etc. Most regular ID thieves are not going to go to that length to find one specific person. They're going dumpster diving or stealing mail out of mailboxes to make a phoney credit card application so they can get some fast cash and then drop the account after they've burned through it.

obzilla wrote:

Colour me confused, but how would they have got SSNs? Wouldn't this mean access to another database? Some sort of employee of a company they have all provided SSNs to? Or looking through the trash at their houses?

I'm not American. Where I live, any personal identifiers are kept as a hard copy only I have access to. Obviously this may have been provided to banks etc. as proof of ID.

In the US an SSN is used for all sorts of different purposes. Some states put it on people's driver's licenses, it's used as an identification number when you enroll in school, if you apply for anything that requires a credit check (phone, car, house, etc), it's on your banking statement, credit card accounts, if you've ever had a criminal record it will be linked to that, and probably more than I can think of off the top of my head. Many places will try and blur out part of a person's SSN for security reasons, but employers and schools are especially bad about putting it on just about every document that's associated with you, even sometimes using it as a password for your email or intranet login.

The first three digits of the SSN number indicate the state the person was born in, but the rest is unique for each individual. So, for a persistent person, it's not something hard to get. Any good private investigator can get it using a little social engineering or background checks.

What's a good verification scheme that 1)Is easily implemented by the website, and 2)Practical for the majority of Americans to utilize?

Authenticate yourself to a third party that gives you a one-time-use token for the credit report. For example, log in to your bank, credit card company, or mortgage lender's website and click the "free annual credit report" link, get your token, pop it into the credit report site.

Perhaps I'm oversimplifying, but I know that I have a number of accounts that I already *have* to trust with SSNs and other information used to verify my identity on the credit card report sites. Why not leverage that relationship to give me access to the credit report site?

How about this: I can go to any bank or appropriate office (say, Social Security), and I get the credit report in person. Less convenient, I know, but positively more secure, because it adds the photo ID requirement.

How many ex-spouses turned stalkers have exploited things like this because of their detailed knowledge of their subject? How many "fraudsters" (what a silly term for criminals) would be stopped dead in their tracks by such a simple requirement?

Most states now require that you opt in, or allow you to opt out, of having the SSN printed on the license.

pogue wrote:

...it's used as an identification number when you enroll in school, if you apply for anything that requires a credit check (phone, car, house, etc),

Unfortunate, but true.

pogue wrote:

...it's on your banking statement, credit card accounts

You're implying that the SSN is printed in full on the statements, which I have never seen. It is used internally, by banks, to identify account holders.

pogue wrote:

...if you've ever had a criminal record it will be linked to that, and probably more than I can think of off the top of my head.

Also true. Because the SSN has become the de facto national ID number for U.S. citizens (this, because we won't pass a law to create a proper national ID), the SSN has been stretched far beyond its intended purpose.

pogue wrote:

Many places will try and blur out part of a person's SSN for security reasons, but employers and schools are especially bad about putting it on just about every document that's associated with you, even sometimes using it as a password for your email or intranet login.

This is - in my experience - an inaccurate statement, and under HIPAA it is illegal. Our employee records are stored in locked cabinets, behind locked doors, with limited access. We assign every employee a unique ID for paperwork and payroll. If your employer is not handling your personally identifiable information responsibly, complain loudly.

pogue wrote:

The first three digits of the SSN number indicate the state the person was born in, but the rest is unique for each individual. So, for a persistent person, it's not something hard to get. Any good private investigator can get it using a little social engineering or background checks.

This used to be true, and for anybody over 30 it probably still holds true, but as the SS Administration got crunched for new numbers, things got more random. What I really hate is, it's still only 9 digits. SSA is recycling a lot of dead people's numbers, rather than adding digits to the SSN to generate new ones. Lots of businesses still ask for "the last four." That is, 44% of your SSN. If we can guess the first three from geography, and the last four from random verification, that leaves only two digits to figure out.

The problem is that huge segments of the American population are dead set against any kind of "citizen ID number", and have been for many decades. The reasons for resistance vary from crazy (it's The Mark of the Beast! The End is Nigh!) to reasonable (mandatory citizen ID numbers help enormously if you want to create a Big Brother surveillance state).

All three credit bureaus already have extensive files on most Americans (I think the number was 200 million?), including past addresses, phone numbers, vehicles you owned or leased, etc., etc.

Your credit card activity and cell phone activity can tell police where you've been and what you've been buying and who you've been talking to.

If you've ever had so much as a speeding ticket, there is a separate credit bureau-type database which holds those records, and can be included in background checks for insurance policies, and even for credit-worthiness in general.

Use anything other than cash to make purchases, and you are slowly de-anonymized by big data.

The companies that compile this data will happily hand it over to the government, often just for the asking.

Oh, and license plate cameras, which have been covered here on Ars and in other places.

Anyone who thinks that opposing a national ID will forestall a surveillance state must be smoking whacky weed.

The problem is that huge segments of the American population are dead set against any kind of "citizen ID number", and have been for many decades. The reasons for resistance vary from crazy (it's The Mark of the Beast! The End is Nigh!) to reasonable (mandatory citizen ID numbers help enormously if you want to create a Big Brother surveillance state).

Well, you already have social security numbers, which seem to be used extensively as a national ID, with the only problem that people also seem to like to use it for authentication and a person can have multiple SS numbers. What is it that makes it more acceptable than a national ID?

AreWeThereYeti wrote:

Also, requiring citizen ID numbers in certain situations can prevent the kind of anonymity that is crucial for political expression. This is being demonstrated in textbook fashion in China right now, where cell phone contracts now require them to record your official identification information. That would be innocuous where you and I live... but in China, it means you can no longer talk freely about political topics on the phone- you might suddenly disappear.

I personally believe that relying on keeping the state in line by making it less efficient is a very bad path to take. It doesn't do much to protect civil liberties and wastes a lot of resources. Lack of national ID is not exactly a big hindrance for a surveillance society... Because it is trivial to assign everybody an ID in secret and then do mapping from other identifiers, such as social security numbers.

Laws, regulations and revolutions are much better methods to protect civil liberties.

Er, note that I didn't say what my position on this was! I was simply stating what reality in the US is. I'm not opposed to a national ID, for many of the reasons you list.

But like many other Americans, I want to make sure NO MATTER WHAT that legal speech anonymity can be preserved as far as is possible. Of course the technological possibilities for violations of this are endless.

But that's the point: it is only the law that holds them back, so make SURE the law preserves paths for anonymous political speech.

BTW, assigning IDs secondarily using other criteria, is NOT equivalent to requiring ID numbers everywhere. Because one chills political speech, and the other does not. If you can create an anonymous commenter account and you only say one thing, data mining does nothing for you, other than regularities in what they wrote, which can be masked. If the ID is required to create the account because the law requires it or because, what the heck, everyone uses the ID number as their database index, 'cause gee that's handy, then your anonymity is shit-out-of-luck.

Up here, in the cold parts of northern Europe, we have a solution to this problem. It's known as personnummer and BankID.

Personnummer is a number that identifies a single human. Think social security number, but without any illusion that it's private or secret information. Your personnummer has the form YYYYMMDD-XXXX and is handed to you at birth. It is not changed, outside some very specific situations. It is used in all official communication with state, county, companies and the like. We have a number with a similar structure for organizations, but it does not stick to the date format making it trivial to tell them apart.

To combine with this we have a national authentication infrastructure known as BankID. BankID is a stand-alone application based on public key cryptography. It is supplied to you by one of the major banks in Sweden. By using BankID you can authenticate against a website, proving that you are a holder of a specific personnummer. When I log in on the website of the tax authority to do my taxes I use BankID, for example.

These rather basic pieces of technology ensure we don't have to rely on people telling us what color their first car was, or what bank they had their first mortgage in, to authenticate against a site handing out sensitive information. I think America has a lot to gain if something similar is implemented.

In the warmer middle European parts (Germany) there is a similar system with public-key craptography utilizing the National ID card. But since this requires separate and secure card readers that need to be bought personally, its usage is very low. Instead, one logs in with a semi-public ID number (tax number for taxes, medical ID number for health services etc...) and any authentication is performed by sending a one-time activation PIN by snail mail to the address already stored in the relevant databases.

There are more checks "under the hood" that are performed depending on the potential for harm of the underlying information (e.g. Taxes).

One of the reasons BankID has become very popular is that almost everybody has access to it. It requires no special hardware and it runs on Windows, OS X and Linux. There is also an alternative system (Mobile BankID) which is being rolled out. It relies on an Android/iOS application to sign transactions. The bank sends an authentication request to your mobile, which you accept or deny with a PIN. That way you don't need to install any software at all.

Ars has a picture of Al Gore. I wonder if that's supposed to be a hidden joke, because his credit report looks pretty awful.

Looks like Paris Hilton has a fleet of Toyotas, likely all the same make and model to hide better; her monthly auto payment is $5600.

Both she and Britney seem to move around quite a bit; they will be moving again now. LOL

I'm certainly not the kind of guy who reads the yellow press, but I do remember seeing a picture or short video recording of Ms. Hilton driving a Lexus LFA. I assume that explains the high car payments.

The first three digits of the SSN indicate the state the person was born in, but the rest is unique for each individual. So, for a persistent person, it's not something hard to get. Any good private investigator can get it using a little social engineering or background checks.

The 1st group of digits is based on the zip code where a Social Security number was *issued*, which may or may not be where a person was born (mine isn't). Actually, it's based on the zip code of the mailing address of the application, but in reality the numbers match to states and you have to apply locally, so it does the same thing.

The 2nd group of 2 digits is a "group number." If you know approximately when a person applied for their number and their address, you could make a decent guess at the group.

I'm certainly not the kind of guy who reads the yellow press, but I do remember seeing a picture or short video recording of Ms. Hilton driving a Lexus LFA. I assume that explains the high car payments.

That, or she has a collection of pink Corollas in her living room.

The LFA was leased only to 'special' people at $12,400/mo with $300K due at signing. But apparently she did get it from a then-boyfriend as a gift... special arrangement, I guess. As much as I hate linking to Jalopnik... http://jalopnik.com/paris-hilton-pays-5 ... -453384313

Garst wrote:

Would it be unreasonable to make it illegal for any company to ask for a person's Social Security number for anything other than reporting an individual's income if the person is an employee of said company? You know, like the original intended purpose of the Social Security number?

I am uncomfortable enough when my insurance company asks for my SSN, but when my cell phone carrier wants to know... that's just not right.

In an age of Internet search engines and social media, the level of skill required to illegally access someone else's data is shockingly low. Much of the information the credit agencies use to confirm visitors' identities—for instance the street or county of a former address or the year a home mortgage was obtained—is readily available or at least inferred online.

Dan Goodin wrote:

It may be possible that the people who used annualcreditreport.com to illegally access information in credit databases were sophisticated. But there's just as good a chance they were astute social networkers who got lucky.

I'm not sure I would characterize the hack or the perpetrators as unskilled/unsophisticated/lucky. Not necessarily, not based on how I'm reading the article. The hack may not have been technically sophisticated in that they may not have needed to exploit bugs in vulnerable software to conduct a privilege escalation et cetera. Fair enough, but that's really only one piece of the puzzle, isn't it?

This seems more like an attack on the system rather than the software. It was pulled off using the kind of sleuthing/information gathering I associate more with investigative reporters or academic researchers than with prototypical script kiddies. I'm speculating wildly here, but I can imagine a group of 2-4 Anons working a couple of hours a day over a month or so to put the whole thing together. That's hardly VUPEN-level work, but it's not point-and-click stupid either.